I think we might have rough consensus around TLS+PLAIN as the "Mandatory to Implement" mechanism. Note that having a single "MTI" mechanism still allows people to implement and use additional mechanisms. It also allows administrators to decide that TLS+PLAIN is not good enough for their site policy and disable it, even though their server software supports it as required.
Since there's not an official WG to poll, I'm basing this conclusion on a handful of private comments on this draft as well as messages to this list. If anybody wants to add their voice, please do so.
thx,
Lisa

On Jan 15, 2007, at 4:05 AM, Arnt Gulbrandsen wrote:

> Alexey Melnikov writes:
>> Simon Josefsson wrote:
>>> and TLS+CRAM-MD5
>> This doesn't give anything over TLS+PLAIN and also doesn't support authorization identity. I am against this choice.
>
> TLS+CRAM-MD5 doesn't reveal the user's secret to the server. A very nice property if you're not 100% sure that you're talking to the right server.
>
> Arnt
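The property Arnt is pointing at, and the authzid gap Alexey objects to, are easiest to see by building the two client messages side by side. The following Python is an added example, not code from the thread or from any SASL library: the credentials and hostname are constructed, and the known-answer values used below (challenge, user "tim", secret "tanstaaftanstaaf", digest b913a602c7eda7a495b4e6e7334d3890) are the ones printed in RFC 2195.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample host; nothing here comes from the thread.
HOSTNAME = "mail.example.test"


def plain_message(authcid, password, authzid=""):
    """Build the single SASL PLAIN client message (RFC 4616):
    authzid NUL authcid NUL password, base64-encoded for the wire.
    TLS hides it from the network; the server still decodes the password itself."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_server_decodes(message_b64):
    """What any server that receives the PLAIN message learns: all three fields."""
    fields = base64.b64decode(message_b64).decode("utf-8").split("\0")
    authzid, authcid, password = fields
    return {"authzid": authzid, "authcid": authcid, "password": password}


def cram_md5_challenge(hostname=HOSTNAME):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id form."""
    challenge = f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"
    return base64.b64encode(challenge.encode("ascii")).decode("ascii")


def cram_md5_digest(challenge, password):
    """Keyed digest from RFC 2195: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def cram_md5_response(challenge_b64, username, password):
    """Client side: 'username SP digest', base64. No authzid field exists."""
    digest = cram_md5_digest(base64.b64decode(challenge_b64), password)
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def cram_md5_server_verify(challenge_b64, response_b64, lookup_secret):
    """Server side: recompute the digest from its own copy of the secret and
    compare in constant time. Returns the username on success, None otherwise.
    The server therefore needs the password (or the HMAC intermediate state)."""
    username, digest = base64.b64decode(response_b64).decode("utf-8").rsplit(" ", 1)
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = cram_md5_digest(base64.b64decode(challenge_b64), secret)
    return username if hmac.compare_digest(expected, digest) else None


def password_visible(message_b64, password):
    """True if the decoded client message carries the password verbatim, i.e. what
    the peer at the other end of the TLS session (genuine or not) gets to read."""
    return password in base64.b64decode(message_b64).decode("utf-8")


if __name__ == "__main__":
    user, pw = "alice", "correct horse battery staple"   # constructed credentials
    plain = plain_message(user, pw)
    print("PLAIN    server learns:", plain_server_decodes(plain))
    ch = cram_md5_challenge()
    resp = cram_md5_response(ch, user, pw)
    print("CRAM-MD5 server learns:", base64.b64decode(resp).decode())
    print("password visible: PLAIN", password_visible(plain, pw),
          "/ CRAM-MD5", password_visible(resp, pw))
    print("verified as:", cram_md5_server_verify(ch, resp, lambda u: pw if u == user else None))
```

Two caveats a deployer should weigh alongside Arnt's point: the CRAM-MD5 server must hold the password (or an equivalent MD5 intermediate state) to verify the response, so a compromise of the credential store is as bad as with PLAIN; and because the challenge is server-chosen, a rogue server that collects responses can run an offline guessing attack against weak passwords. Those do not change the basic difference, which is that the genuine password never leaves the client.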